PGP Universal Server Versions Prior to 3.2.x May Potentially be Vulnerable Against TLS/SSL v3 Renegotiation Attacks

book

Article ID: 157244

calendar_today

Updated On:

Products

Symantec Products

Issue/Introduction

Vulnerability scanners or penetration testing software may detect PGP Universal Server as vulnerable against TLS renegotiation attacks as described in:

CVE-2009-3555 - "Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability"
CVE-2011-1473 - "Multiple Vendor SSL/TLS Renegotiation Denial Of Service Vulnerability"

Cause

This potential vulnerability is caused by a design flaw in SSL which is also included in the OpenSSL software used in PGP Universal Server.

Resolution

To resolve this issue, upgrade PGP Universal Server to one of the following versions:

PGP Universal Server 3.2.x

PGP Universal Server 3.0.1 SP1 HF1 

PGP Universal  Server 2.12 SP4 HF1 

 

To quickly test if your PGP Universal Server may be vulnerable, you can either use OpenSSL:

# openssl s_client -connect keys.domain.tld:443

Although advertised "Secure Renegotiation IS supported" issuing "R" fails on version 3.2.1 as renegotiating was disabled.

Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: D3F938035984C99559F9F125AA547B6DE75BBC9F3442BEC3CED06020364958CB
    Session-ID-ctx:
    Master-Key: AD044ECB6DD235DAC7E5C6E9B282242E23FD2ABE14A37DAC2EF50D7083239723170E0CFFE6013C2840C7546649F19DEC
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1350997633
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
R
RENEGOTIATING
30577:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
 

 

Or refer to the proof of concept exploits listed in the following links:

http://www.securityfocus.com/bid/48626/info

http://www.securityfocus.com/bid/36935/info


Applies To

PGP Universal Server versions prior to 3.2.x (except 3.0.1 SP1 HF1 or 2.12 SP4 HF) may be vulnerable.

PGP Universal Server versions since 3.2.0, PGP Universal version 3.0.1 SP1 HF1 or 2.12 SP4 HF1 are not vulnerable.

  

For CVE-2009-3555 version OpenSSL 0.9.8k and below might be affected
For CVE-2011-1473 version OpenSSL 0.9.8k and below, version OpenSSL 1.0 or OpenSSL 1.0.2 might be affected

Please note that although PGP Universal Server shows an older OpenSSL version, it will contain all the latest patches as of the time of the release date.
For example on a PGP Universal 3.2.1 MP3 server, the fix for CVE-2009-3555 was applied but it shows an older OpenSSL version which would be vulnerable without the applied patch.
 

# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008